Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
OpenID Connect Service contains the properties that affect the Data Governance Broker OpenID Connect Services.
Relations from This Component
Properties
dsconfig Usage
The following components have a direct aggregation relation from OpenID Connect Services:
The properties supported by this managed object are as follows:
Basic Properties | Advanced Properties |
---|---|
authorization-code-validity-duration | None |
access-token-validity-duration | |
refresh-token-validity-duration | |
id-token-validity-duration | |
id-token-issuer-name | |
default-acr | |
access-token-provider | |
authorization-code-validity-duration
Description | Specifies the default validity duration of an authorization code. Applications may also specify a different validity duration that is specific to authorization codes generated for that application and will override this property. |
Default Value | 1 m |
Allowed Values | A duration. Lower limit is 1 second. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
access-token-validity-duration
Description | Specifies the default validity duration of an access token. Applications may also specify a different validity duration that is specific to access tokens granted for that application and will override this property. |
Default Value | 12 h |
Allowed Values | A duration. Lower limit is 1 second. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
refresh-token-validity-duration
Description | Specifies the default validity duration of a refresh token. Applications may also specify a different validity duration that is specific to refresh tokens generated for that application and will override this property. A value of "0 s" will disable the generation of refresh tokens. |
Default Value | 30 d |
Allowed Values | A duration. Lower limit is 0 seconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
id-token-validity-duration
Description | Specifies the default validity duration of an OpenID Connect ID Token. Applications may also specify a different validity duration that is specific to ID Tokens granted for that application and will override this property. |
Default Value | 15 m |
Allowed Values | A duration. Lower limit is 1 second. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
id-token-issuer-name
Description | Specifies a unique identifier for the Issuer (iss) claim of an ID Token. The value of this property is inserted into a URL of the form https://issuer_name when returned as the unique issuer identifier in an OpenID Connect ID Token. As an initial default, the create-initial-broker-config tool populates this property with the host name of the Data Governance Broker installation; it may be set to any value appropriate for the service provider, but it must match the issuer identifier that relying parties are configured to accept, since OpenID Connect clients reject ID Tokens whose iss claim does not match their expected issuer. |
Default Value | replace_this_value |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
default-acr
Description | Specifies the default set of ACRs (Authentication Context Class References) that may be used when authenticating users, in order of preference. |
Default Value | None. If this is left empty, users may not be able to log in during an OAuth flow. |
Allowed Values | The DN of any Authentication Context Class. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
access-token-provider
Description | Specifies the OAuth 2 access token provider that should be used by the OpenID Connect Service. |
Default Value | None. If this is left unset, the OAuth 2 and OpenID Connect services will not be able to mint access tokens. |
Allowed Values | The DN of any Access Token Provider. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
To view the OpenID Connect Service configuration:
dsconfig get-openid-connect-service-prop [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the OpenID Connect Service configuration:
dsconfig set-openid-connect-service-prop (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
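The following is an added example, not code from the Data Governance Broker documentation or from Ping Identity: a POSIX shell script that audits an export of this managed object against a local token-lifetime policy and flags the two settings that are most often left at their installation defaults (the placeholder id-token-issuer-name and an empty default-acr). It assumes the export was produced with `dsconfig get-openid-connect-service-prop --script-friendly --tab-delimited` and consists of one property-name, tab, value line per property; confirm that shape against a real export before relying on the parser. The policy ceilings, temp-file names, host name and DNs in the sample exports are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Data Governance Broker docs: audit an exported
# OpenID Connect Service configuration against a local lifetime policy.
# Assumed input: one "property<TAB>value" line per property, as expected from
#   dsconfig get-openid-connect-service-prop --script-friendly --tab-delimited > oidc.tsv

# Example policy ceilings in seconds (local choices, not Ping defaults or advice).
MAX_AUTH_CODE=60            # 1 m   (page default: 1 m)
MAX_ACCESS_TOKEN=3600       # 1 h   (page default: 12 h)
MAX_ID_TOKEN=900            # 15 m  (page default: 15 m)
MAX_REFRESH_TOKEN=1209600   # 14 d  (page default: 30 d)

# duration_to_seconds "12 h" -> 43200. Understands the unit letters the page
# uses (s, m, h, d) plus w; anything else prints nothing and returns 1.
duration_to_seconds() {
  set -- $1                         # split "12 h" into $1=12 $2=h
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  case "$2" in
    s) echo "$1" ;;
    m) echo $(( $1 * 60 )) ;;
    h) echo $(( $1 * 3600 )) ;;
    d) echo $(( $1 * 86400 )) ;;
    w) echo $(( $1 * 604800 )) ;;
    *) return 1 ;;
  esac
}

# prop FILE NAME -> value(s) of NAME, one per line; empty if not exported.
prop() {
  awk -F '\t' -v p="$2" '$1 == p { print $2 }' "$1"
}

# check_max FILE NAME DEFAULT MAX -> one finding if NAME (or the page's documented
# DEFAULT when NAME is absent from the export) exceeds MAX seconds. Returns 0.
check_max() {
  v=$(prop "$1" "$2")
  [ -n "$v" ] || v=$3
  if secs=$(duration_to_seconds "$v"); then
    [ "$secs" -le "$4" ] || echo "$2: '$v' exceeds the policy ceiling of $4 s"
  else
    echo "$2: cannot parse duration '$v'"
  fi
  return 0
}

# audit_oidc_config FILE -> one finding per line; no output means the export passes.
audit_oidc_config() {
  check_max "$1" authorization-code-validity-duration '1 m'  "$MAX_AUTH_CODE"
  check_max "$1" access-token-validity-duration       '12 h' "$MAX_ACCESS_TOKEN"
  check_max "$1" id-token-validity-duration           '15 m' "$MAX_ID_TOKEN"
  check_max "$1" refresh-token-validity-duration      '30 d' "$MAX_REFRESH_TOKEN"
  case "$(prop "$1" id-token-issuer-name)" in
    ''|replace_this_value)
      echo "id-token-issuer-name: empty or placeholder; ID Tokens will carry a bogus iss claim" ;;
  esac
  [ -n "$(prop "$1" default-acr)" ] ||
    echo "default-acr: empty; users may not be able to log in during an OAuth flow"
  [ -n "$(prop "$1" access-token-provider)" ] ||
    echo "access-token-provider: unset; the service cannot mint access tokens"
  return 0
}

# count_findings FILE -> number of finding lines (always exits 0).
count_findings() {
  audit_oidc_config "$1" | awk 'END { print NR }'
}

# write_sample FILE weak|hardened -> constructed exports, not real dsconfig output.
write_sample() {
  if [ "$2" = weak ]; then
    # Installation defaults, issuer never changed, no ACR configured.
    printf '%s\t%s\n' \
      authorization-code-validity-duration '1 m' \
      access-token-validity-duration '12 h' \
      refresh-token-validity-duration '30 d' \
      id-token-validity-duration '15 m' \
      id-token-issuer-name replace_this_value \
      access-token-provider 'cn=Example Provider,cn=config' > "$1"
  else
    printf '%s\t%s\n' \
      authorization-code-validity-duration '1 m' \
      access-token-validity-duration '1 h' \
      refresh-token-validity-duration '7 d' \
      id-token-validity-duration '10 m' \
      id-token-issuer-name login.example.com \
      default-acr 'cn=Example ACR,cn=config' \
      access-token-provider 'cn=Example Provider,cn=config' > "$1"
  fi
}

WEAK=$(mktemp); HARDENED=$(mktemp)
write_sample "$WEAK" weak
write_sample "$HARDENED" hardened
echo "weak export:";     audit_oidc_config "$WEAK"
echo "hardened export:"; audit_oidc_config "$HARDENED"
```

Each finding maps onto the set command shown on this page, for example `dsconfig set-openid-connect-service-prop --set "access-token-validity-duration:1 h" --set "id-token-issuer-name:login.example.com" --add "default-acr:{DN of an Authentication Context Class}"` (values illustrative). Because the object is cluster-wide, one such change reaches every server in the cluster; exporting from a second server and re-running the audit is a cheap way to confirm the mirroring took effect.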